public WorkspaceAccessLimits getAccessLimits(Authentication user, WorkspaceInfo workspace) { boolean readable = canAccess(user, workspace, AccessMode.READ); boolean writable = canAccess(user, workspace, AccessMode.WRITE); boolean adminable = canAccess(user, workspace, AccessMode.ADMIN); CatalogMode mode = getMode(); if (readable && writable) { if (AdminRequest.get() == null) { // not admin request, read+write means full acesss return null; } } return new WorkspaceAccessLimits(mode, readable, writable, adminable); }
private void rebuildAuthorizationTree(boolean force) { long daoLastModified = dao.getLastModified(); if (lastLoaded < daoLastModified || force) { root = buildAuthorizationTree(dao); lastLoaded = daoLastModified; } }
public DataAccessLimits getAccessLimits(Authentication user, ResourceInfo resource) { boolean read = canAccess(user, resource, AccessMode.READ); boolean write = canAccess(user, resource, AccessMode.WRITE); Filter readFilter = read ? Filter.INCLUDE : Filter.EXCLUDE; Filter writeFilter = write ? Filter.INCLUDE : Filter.EXCLUDE; return buildLimits(resource.getClass(), readFilter, writeFilter); }
public boolean canAccess( Authentication user, LayerInfo layer, AccessMode mode, boolean directAccess) { checkPropertyFile(); if (layer.getResource() == null) { LOGGER.log( Level.FINE, "Layer " + layer + " has no attached resource, " + "assuming it's possible to access it"); // it's a layer whose resource we don't know about return true; } else { return canAccess(user, layer.getResource(), mode, directAccess); } }
public boolean canAccess( Authentication user, ResourceInfo resource, AccessMode mode, boolean directAccess) { checkPropertyFile(); String workspace; final String resourceName = resource.getName(); boolean rulesAllowAccess = securityNode.canAccess(user, mode); if (catalogNodeDepth == SecureTreeNode.RESOURCE_DEPTH || !layerGroupContainmentCheckRequired()) { return rulesAllowAccess; return false; SecureTreeNode node = getNodeForGroup(gi); return (node != null && node.getDepth() > catalogNodeDepth) || (sg.getMode() == Mode.OPAQUE_CONTAINER); && canAccess(user, gi, directAccess) && (!directAccess || allowsAccessViaNonOpaqueGroup( gi, resource)); }); SecureTreeNode node = getNodeForGroup(gi); return node == null && canAccess(user, gi, directAccess) && (!directAccess || allowsAccessViaNonOpaqueGroup(gi, resource)); });
DataAccessLimits buildLimits( Class<? extends ResourceInfo> resourceClass, Filter readFilter, Filter writeFilter) { CatalogMode mode = getMode(); // allow the secure catalog to avoid any kind of wrapping if there are no limits if ((readFilter == null || readFilter == Filter.INCLUDE) && (writeFilter == null || writeFilter == Filter.INCLUDE || WMSLayerInfo.class.isAssignableFrom(resourceClass) || WMTSLayerInfo.class.isAssignableFrom(resourceClass) || CoverageInfo.class.isAssignableFrom(resourceClass))) { return null; } // build the appropriate limit class if (FeatureTypeInfo.class.isAssignableFrom(resourceClass)) { return new VectorAccessLimits(mode, null, readFilter, null, writeFilter); } else if (CoverageInfo.class.isAssignableFrom(resourceClass)) { return new CoverageAccessLimits(mode, readFilter, null, null); } else if (WMSLayerInfo.class.isAssignableFrom(resourceClass)) { return new WMSAccessLimits(mode, readFilter, null, true); } else if (WMTSLayerInfo.class.isAssignableFrom(resourceClass)) { return new WMTSAccessLimits(mode, readFilter, null); } else { LOGGER.log( Level.INFO, "Warning, adapting to generic access limits for unrecognized resource type " + resourceClass); return new DataAccessLimits(mode, readFilter); } }
private static DefaultResourceAccessManager buildDefaultResourceAccessManager() { return new DefaultResourceAccessManager( GeoServerExtensions.bean(DataAccessRuleDAO.class), (Catalog) GeoServerExtensions.bean("rawCatalog")); }
public boolean canAccess(Authentication user, WorkspaceInfo workspace, AccessMode mode) { checkPropertyFile(); SecureTreeNode node = root.getDeepestNode(new String[] {workspace.getName()}); if (node.canAccess(user, mode)) { return true; } // perform a drill down search, we still allow access to the workspace // if there is anything inside the workspace that can be read (otherwise // we are denying access to everything below it, which is not the spirit of the // tree override design) if (mode == AccessMode.READ && canAccessChild(node, user, mode)) { return true; } else { return false; } }
private boolean canAccess( Authentication user, LayerGroupInfo layerGroup, boolean directAccess) { String[] path = getLayerGroupPath(layerGroup); SecureTreeNode node = root.getDeepestNode(path); boolean catalogNodeAllowsAccess = node.canAccess(user, AccessMode.READ); return gi != null && canAccess(user, gi, directAccess); });
@Override public LayerGroupAccessLimits getAccessLimits(Authentication user, LayerGroupInfo layerGroup) { return getAccessLimits(user, layerGroup, Collections.emptyList()); } }
@Override public boolean canAccess(Authentication user, ResourceInfo resource, AccessMode mode) { return canAccess(user, resource, mode, true); }
/** * Returns true if the user can access the specified node, or one of the nodes below it * * <p>the specified nodes * * @param node * @param user * @param mode * @return */ private boolean canAccessChild(SecureTreeNode node, Authentication user, AccessMode mode) { if (node.canAccess(user, mode)) { return true; } for (SecureTreeNode child : node.getChildren().values()) { if (canAccessChild(child, user, mode)) { return true; } } return false; }
/** * Returns true if there is a path from the group to the resource that does not involve crossing * a opaque group */ private boolean allowsAccessViaNonOpaqueGroup(LayerGroupInfo gi, ResourceInfo resource) { for (PublishedInfo pi : gi.getLayers()) { if (pi instanceof LayerInfo) { if (resource.equals(((LayerInfo) pi).getResource())) { return true; } } else { LayerGroupInfo lg = (LayerGroupInfo) pi; if (lg.getMode() != LayerGroupInfo.Mode.OPAQUE_CONTAINER && allowsAccessViaNonOpaqueGroup(lg, resource)) { return true; } } } return false; }
private SecureTreeNode getNodeForGroup(LayerGroupInfo lg) { SecureTreeNode node; if (lg.getWorkspace() == null) { node = root.getNode(lg.getName()); } else { String[] path = getLayerGroupPath(lg); node = root.getNode(path); } return node; }
@Test public void testMixedMode() throws Exception { DefaultResourceAccessManager wo = buildAccessManager("lockedDownMixed.properties"); assertEquals(CatalogMode.MIXED, wo.getMode()); }
private SecureTreeNode buildTree(String propertyFile) throws Exception { Properties props = new Properties(); props.load(getClass().getResourceAsStream(propertyFile)); return new DefaultResourceAccessManager( new MemoryDataAccessRuleDAO(catalog, props), catalog) .root; }
@Override public DataAccessLimits getAccessLimits(Authentication user, LayerInfo layer) { return getAccessLimits(user, layer, Collections.emptyList()); }
@Override public boolean canAccess(Authentication user, LayerInfo layer, AccessMode mode) { return canAccess(user, layer, mode, true); }
@Override public LayerGroupAccessLimits getAccessLimits( Authentication user, LayerGroupInfo layerGroup, List<LayerGroupInfo> containers) { boolean allowAccess = canAccess(user, layerGroup, containers == null || containers.isEmpty()); return allowAccess ? null : new LayerGroupAccessLimits(getMode()); }
@Test public void testUnknownMode() throws Exception { DefaultResourceAccessManager wo = buildAccessManager("lockedDownUnknown.properties"); // should fall back on the default and complain in the logger assertEquals(CatalogMode.HIDE, wo.getMode()); }